X-Git-Url: https://git.netwichtig.de/gitweb/?a=blobdiff_plain;f=src%2Fmodules%2Fextra%2Fm_ssl_openssl.cpp;h=a70bffb3c016c3d07cd7952d1ad4e149ed536e44;hb=b7716ed57704b2b2bcc665a590aecc8f02de631d;hp=4cd8ab29a10bee2d5a58c67d19cadbb4d38947fe;hpb=ee7ac5aaede95eb82ecc948d0e52ad01ddeaa6c9;p=user%2Fhenk%2Fcode%2Finspircd.git

diff --git a/src/modules/extra/m_ssl_openssl.cpp b/src/modules/extra/m_ssl_openssl.cpp
index 4cd8ab29a..a70bffb3c 100644
--- a/src/modules/extra/m_ssl_openssl.cpp
+++ b/src/modules/extra/m_ssl_openssl.cpp
@@ -26,6 +26,7 @@
 
 /// $PackageInfo: require_system("centos") openssl-devel pkgconfig
 /// $PackageInfo: require_system("darwin") openssl pkg-config
+/// $PackageInfo: require_system("debian") libssl-dev openssl pkg-config
 /// $PackageInfo: require_system("ubuntu") libssl-dev openssl pkg-config
 
 
@@ -47,22 +48,32 @@
 
 #include <openssl/ssl.h>
 #include <openssl/err.h>
+#include <openssl/dh.h>
 
 #ifdef _WIN32
 # pragma comment(lib, "ssleay32.lib")
 # pragma comment(lib, "libeay32.lib")
 #endif
 
-#if ((OPENSSL_VERSION_NUMBER >= 0x10000000L) && (!(defined(OPENSSL_NO_ECDH))))
-// OpenSSL 0.9.8 includes some ECC support, but it's unfinished. Enable only for 1.0.0 and later.
-#define INSPIRCD_OPENSSL_ENABLE_ECDH
-#endif
-
-// BIO is opaque in OpenSSL 1.1 but the access API does not exist in 1.0 and older.
+// Compatibility layer to allow OpenSSL 1.0 to use the 1.1 API.
 #if ((defined LIBRESSL_VERSION_NUMBER) || (OPENSSL_VERSION_NUMBER < 0x10100000L))
+
+// BIO is opaque in OpenSSL 1.1 but the access API does not exist in 1.0.
 # define BIO_get_data(BIO) BIO->ptr
 # define BIO_set_data(BIO, VALUE) BIO->ptr = VALUE;
 # define BIO_set_init(BIO, VALUE) BIO->init = VALUE;
+
+// These functions have been renamed in OpenSSL 1.1.
+# define OpenSSL_version SSLeay_version
+# define X509_getm_notAfter X509_get_notAfter
+# define X509_getm_notBefore X509_get_notBefore
+# define OPENSSL_init_ssl(OPTIONS, SETTINGS) \
+	SSL_library_init(); \
+	SSL_load_error_strings();
+
+// These macros have been renamed in OpenSSL 1.1.
+# define OPENSSL_VERSION SSLEAY_VERSION
+
 #else
 # define INSPIRCD_OPENSSL_OPAQUE_BIO
 #endif
@@ -129,7 +140,7 @@ namespace OpenSSL
 		{
 			// Sane default options for OpenSSL see https://www.openssl.org/docs/ssl/SSL_CTX_set_options.html
 			// and when choosing a cipher, use the server's preferences instead of the client preferences.
-			long opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | SSL_OP_CIPHER_SERVER_PREFERENCE | SSL_OP_SINGLE_DH_USE;
+			long opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | SSL_OP_CIPHER_SERVER_PREFERENCE | SSL_OP_SINGLE_DH_USE;
 			// Only turn options on if they exist
 #ifdef SSL_OP_SINGLE_ECDH_USE
 			opts |= SSL_OP_SINGLE_ECDH_USE;
@@ -161,7 +172,7 @@ namespace OpenSSL
 			return (SSL_CTX_set_tmp_dh(ctx, dh.get()) >= 0);
 		}
 
-#ifdef INSPIRCD_OPENSSL_ENABLE_ECDH
+#ifndef OPENSSL_NO_ECDH
 		void SetECDH(const std::string& curvename)
 		{
 			int nid = OBJ_sn2nid(curvename.c_str());
@@ -204,6 +215,45 @@ namespace OpenSSL
 			return SSL_CTX_load_verify_locations(ctx, filename.c_str(), 0);
 		}
 
+		void SetCRL(const std::string& crlfile, const std::string& crlpath, const std::string& crlmode)
+		{
+			if (crlfile.empty() && crlpath.empty())
+				return;
+
+			/* Set CRL mode */
+			unsigned long crlflags = X509_V_FLAG_CRL_CHECK;
+			if (crlmode == "chain")
+			{
+				crlflags |= X509_V_FLAG_CRL_CHECK_ALL;
+			}
+			else if (crlmode != "leaf")
+			{
+				throw ModuleException("Unknown mode '" + crlmode + "'; expected either 'chain' (default) or 'leaf'");
+			}
+
+			/* Load CRL files */
+			X509_STORE* store = SSL_CTX_get_cert_store(ctx);
+			if (!store)
+			{
+				throw ModuleException("Unable to get X509_STORE from SSL context; this should never happen");
+			}
+			ERR_clear_error();
+			if (!X509_STORE_load_locations(store,
+				crlfile.empty() ? NULL : crlfile.c_str(),
+				crlpath.empty() ? NULL : crlpath.c_str()))
+			{
+				int err = ERR_get_error();
+				throw ModuleException("Unable to load CRL file '" + crlfile + "' or CRL path '" + crlpath + "': '" + (err ? ERR_error_string(err, NULL) : "unknown") + "'");
+			}
+
+			/* Set CRL mode */
+			if (X509_STORE_set_flags(store, crlflags) != 1)
+			{
+				throw ModuleException("Unable to set X509 CRL flags");
+			}
+		}
+
+
 		long GetDefaultContextOptions() const
 		{
 			return ctx_options;
@@ -239,7 +289,7 @@ namespace OpenSSL
 		}
 	};
 
-	class Profile : public refcountbase
+	class Profile
 	{
 		/** Name of this profile
 		 */
@@ -284,15 +334,14 @@ namespace OpenSSL
 		 */
 		void SetContextOptions(const std::string& ctxname, ConfigTag* tag, Context& context)
 		{
-			long setoptions = tag->getInt(ctxname + "setoptions");
-			long clearoptions = tag->getInt(ctxname + "clearoptions");
+			long setoptions = tag->getInt(ctxname + "setoptions", 0);
+			long clearoptions = tag->getInt(ctxname + "clearoptions", 0);
 #ifdef SSL_OP_NO_COMPRESSION
 			if (!tag->getBool("compression", false)) // Disable compression by default
 				setoptions |= SSL_OP_NO_COMPRESSION;
 #endif
-			if (!tag->getBool("sslv3", false)) // Disable SSLv3 by default
-				setoptions |= SSL_OP_NO_SSLv3;
-			if (!tag->getBool("tlsv1", true))
+			// Disable TLSv1.0 by default.
+			if (!tag->getBool("tlsv1", false))
 				setoptions |= SSL_OP_NO_TLSv1;
 
 			if (!setoptions && !clearoptions)
@@ -306,11 +355,11 @@ namespace OpenSSL
 	 public:
 		Profile(const std::string& profilename, ConfigTag* tag)
 			: name(profilename)
-			, dh(ServerInstance->Config->Paths.PrependConfig(tag->getString("dhfile", "dh.pem")))
+			, dh(ServerInstance->Config->Paths.PrependConfig(tag->getString("dhfile", "dhparams.pem")))
 			, ctx(SSL_CTX_new(SSLv23_server_method()))
 			, clictx(SSL_CTX_new(SSLv23_client_method()))
 			, allowrenego(tag->getBool("renegotiation")) // Disallow by default
-			, outrecsize(tag->getInt("outrecsize", 2048, 512, 16384))
+			, outrecsize(tag->getUInt("outrecsize", 2048, 512, 16384))
 		{
 			if ((!ctx.SetDH(dh)) || (!clictx.SetDH(dh)))
 				throw Exception("Couldn't set DH parameters");
@@ -330,7 +379,7 @@ namespace OpenSSL
 				}
 			}
 
-#ifdef INSPIRCD_OPENSSL_ENABLE_ECDH
+#ifndef OPENSSL_NO_ECDH
 			std::string curvename = tag->getString("ecdhcurve", "prime256v1");
 			if (!curvename.empty())
 				ctx.SetECDH(curvename);
@@ -364,6 +413,12 @@ namespace OpenSSL
 				ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "Can't read CA list from %s. This is only a problem if you want to verify client certificates, otherwise it's safe to ignore this message. Error: %s", filename.c_str(), lasterr.c_str());
 			}
 
+			// Load the CRLs.
+			std::string crlfile  = tag->getString("crlfile");
+			std::string crlpath  = tag->getString("crlpath");
+			std::string crlmode  = tag->getString("crlmode", "chain");
+			ctx.SetCRL(crlfile, crlpath, crlmode);
+
 			clictx.SetVerifyCert();
 			if (tag->getBool("requestclientcert", true))
 				ctx.SetVerifyCert();
@@ -458,7 +513,6 @@ class OpenSSLIOHook : public SSLIOHook
 	SSL* sess;
 	issl_status status;
 	bool data_to_write;
-	reference<OpenSSL::Profile> profile;
 
 	// Returns 1 if handshake succeeded, 0 if it is still in progress, -1 if it failed
 	int Handshake(StreamSocket* user)
@@ -558,7 +612,7 @@ class OpenSSLIOHook : public SSLIOHook
 		if (certinfo->issuer.find_first_of("\r\n") != std::string::npos)
 			certinfo->issuer.clear();
 
-		if (!X509_digest(cert, profile->GetDigest(), md, &n))
+		if (!X509_digest(cert, GetProfile().GetDigest(), md, &n))
 		{
 			certinfo->error = "Out of memory generating fingerprint";
 		}
@@ -567,7 +621,7 @@ class OpenSSLIOHook : public SSLIOHook
 			certinfo->fingerprint = BinToHex(md, n);
 		}
 
-		if ((ASN1_UTCTIME_cmp_time_t(X509_get_notAfter(cert), ServerInstance->Time()) == -1) || (ASN1_UTCTIME_cmp_time_t(X509_get_notBefore(cert), ServerInstance->Time()) == 0))
+		if ((ASN1_UTCTIME_cmp_time_t(X509_getm_notAfter(cert), ServerInstance->Time()) == -1) || (ASN1_UTCTIME_cmp_time_t(X509_getm_notBefore(cert), ServerInstance->Time()) == 0))
 		{
 			certinfo->error = "Not activated, or expired certificate";
 		}
@@ -579,7 +633,7 @@ class OpenSSLIOHook : public SSLIOHook
 	{
 		if ((where & SSL_CB_HANDSHAKE_START) && (status == ISSL_OPEN))
 		{
-			if (profile->AllowRenegotiation())
+			if (GetProfile().AllowRenegotiation())
 				return;
 
 			// The other side is trying to renegotiate, kill the connection and change status
@@ -621,12 +675,11 @@ class OpenSSLIOHook : public SSLIOHook
 	friend void StaticSSLInfoCallback(const SSL* ssl, int where, int rc);
 
  public:
-	OpenSSLIOHook(IOHookProvider* hookprov, StreamSocket* sock, SSL* session, const reference<OpenSSL::Profile>& sslprofile)
+	OpenSSLIOHook(IOHookProvider* hookprov, StreamSocket* sock, SSL* session)
 		: SSLIOHook(hookprov)
 		, sess(session)
 		, status(ISSL_NONE)
 		, data_to_write(false)
-		, profile(sslprofile)
 	{
 		// Create BIO instance and store a pointer to the socket in it which will be used by the read and write functions
 #ifdef INSPIRCD_OPENSSL_OPAQUE_BIO
@@ -720,7 +773,7 @@ class OpenSSLIOHook : public SSLIOHook
 		while (!sendq.empty())
 		{
 			ERR_clear_error();
-			FlattenSendQueue(sendq, profile->GetOutgoingRecordSize());
+			FlattenSendQueue(sendq, GetProfile().GetOutgoingRecordSize());
 			const StreamSocket::SendQueue::Element& buffer = sendq.front();
 			int ret = SSL_write(sess, buffer.data(), buffer.size());
 
@@ -778,7 +831,18 @@ class OpenSSLIOHook : public SSLIOHook
 		out.append(SSL_get_cipher(sess));
 	}
 
+	bool GetServerName(std::string& out) const CXX11_OVERRIDE
+	{
+		const char* name = SSL_get_servername(sess, TLSEXT_NAMETYPE_host_name);
+		if (!name)
+			return false;
+
+		out.append(name);
+		return true;
+	}
+
 	bool IsHandshakeDone() const { return (status == ISSL_OPEN); }
+	OpenSSL::Profile& GetProfile();
 };
 
 static void StaticSSLInfoCallback(const SSL* ssl, int where, int rc)
@@ -833,14 +897,14 @@ static int OpenSSL::BIOMethod::read(BIO* bio, char* buffer, int size)
 	return ret;
 }
 
-class OpenSSLIOHookProvider : public refcountbase, public IOHookProvider
+class OpenSSLIOHookProvider : public IOHookProvider
 {
-	reference<OpenSSL::Profile> profile;
+	OpenSSL::Profile profile;
 
  public:
-	OpenSSLIOHookProvider(Module* mod, reference<OpenSSL::Profile>& prof)
-		: IOHookProvider(mod, "ssl/" + prof->GetName(), IOHookProvider::IOH_SSL)
-		, profile(prof)
+	OpenSSLIOHookProvider(Module* mod, const std::string& profilename, ConfigTag* tag)
+		: IOHookProvider(mod, "ssl/" + profilename, IOHookProvider::IOH_SSL)
+		, profile(profilename, tag)
 	{
 		ServerInstance->Modules->AddService(*this);
 	}
@@ -852,15 +916,23 @@ class OpenSSLIOHookProvider : public refcountbase, public IOHookProvider
 
 	void OnAccept(StreamSocket* sock, irc::sockets::sockaddrs* client, irc::sockets::sockaddrs* server) CXX11_OVERRIDE
 	{
-		new OpenSSLIOHook(this, sock, profile->CreateServerSession(), profile);
+		new OpenSSLIOHook(this, sock, profile.CreateServerSession());
 	}
 
 	void OnConnect(StreamSocket* sock) CXX11_OVERRIDE
 	{
-		new OpenSSLIOHook(this, sock, profile->CreateClientSession(), profile);
+		new OpenSSLIOHook(this, sock, profile.CreateClientSession());
 	}
+
+	OpenSSL::Profile& GetProfile() { return profile; }
 };
 
+OpenSSL::Profile& OpenSSLIOHook::GetProfile()
+{
+	IOHookProvider* hookprov = prov;
+	return static_cast<OpenSSLIOHookProvider*>(hookprov)->GetProfile();
+}
+
 class ModuleSSLOpenSSL : public Module
 {
 	typedef std::vector<reference<OpenSSLIOHookProvider> > ProfileList;
@@ -880,8 +952,7 @@ class ModuleSSLOpenSSL : public Module
 
 			try
 			{
-				reference<OpenSSL::Profile> profile(new OpenSSL::Profile(defname, tag));
-				newprofiles.push_back(new OpenSSLIOHookProvider(this, profile));
+				newprofiles.push_back(new OpenSSLIOHookProvider(this, defname, tag));
 			}
 			catch (OpenSSL::Exception& ex)
 			{
@@ -902,17 +973,23 @@ class ModuleSSLOpenSSL : public Module
 				continue;
 			}
 
-			reference<OpenSSL::Profile> profile;
+			reference<OpenSSLIOHookProvider> prov;
 			try
 			{
-				profile = new OpenSSL::Profile(name, tag);
+				prov = new OpenSSLIOHookProvider(this, name, tag);
 			}
 			catch (CoreException& ex)
 			{
 				throw ModuleException("Error while initializing SSL profile \"" + name + "\" at " + tag->getTagLocation() + " - " + ex.GetReason());
 			}
 
-			newprofiles.push_back(new OpenSSLIOHookProvider(this, profile));
+			newprofiles.push_back(prov);
+		}
+
+		for (ProfileList::iterator i = profiles.begin(); i != profiles.end(); ++i)
+		{
+			OpenSSLIOHookProvider& prov = **i;
+			ServerInstance->Modules.DelService(prov);
 		}
 
 		profiles.swap(newprofiles);
@@ -922,8 +999,7 @@ class ModuleSSLOpenSSL : public Module
 	ModuleSSLOpenSSL()
 	{
 		// Initialize OpenSSL
-		SSL_library_init();
-		SSL_load_error_strings();
+		OPENSSL_init_ssl(0, NULL);
 #ifdef INSPIRCD_OPENSSL_OPAQUE_BIO
 		biomethods = OpenSSL::BIOMethod::alloc();
 	}
@@ -936,7 +1012,7 @@ class ModuleSSLOpenSSL : public Module
 
 	void init() CXX11_OVERRIDE
 	{
-		ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "OpenSSL lib version \"%s\" module was compiled for \"" OPENSSL_VERSION_TEXT "\"", SSLeay_version(SSLEAY_VERSION));
+		ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "OpenSSL lib version \"%s\" module was compiled for \"" OPENSSL_VERSION_TEXT "\"", OpenSSL_version(OPENSSL_VERSION));
 
 		// Register application specific data
 		char exdatastr[] = "inspircd";